[pmwiki-users] How to optimize php.ini
Patrick R. Michaud
pmichaud at pobox.com
Tue Sep 5 13:48:18 CDT 2006
On Tue, Sep 05, 2006 at 07:43:53PM +0100, Iain D. Brown wrote:
> Tom Lederer wrote:
>
> >> Due to the recent affairs, I wondered if someone of greater
> >> knowledge could tip me how to set the options (those I can) in
> >> php.ini to use pmwiki at its best.
>
> Pm replied:
>
> > Here are my suggestions:
>
> > session.auto_start Off
> > session.use_cookies On
> > session.use_trans_sid Off
> > magic_quotes_runtime Off [1]
> > magic_quotes_gpc Off [2]
> > register_globals Off [3]
> > display_errors On for debugging, Off for production [4]
> > session.cookie_lifetime 0
>
> This, and Pm's very useful information in his message on PmWiki
> security vulnerability today, makes me wonder if someone has
> created a document on hardening PmWiki.

Actually, I'm planning to create a tool for it. Essentially there
will be a cookbook recipe that one installs to provide diagnostic
output, and then a tool on pmwiki.org will analyze the site for
various known vulnerabilities and recommend improvements/changes,
along with links to pages on pmwiki.org that describe the
issue(s) in great detail.

> To ensure one's installation of PmWiki is as secure as possible,
> should I be following Pm's suggestions, above? Are there any
> implications for the functioning of my PmWiki site if I follow the
> above? Are there any other settings I should be securing?

The settings I gave above shouldn't affect the functioning
of an existing site at all. The other things that are
worth securing are making sure that the wiki.d/ directory
isn't accessible to the web, and that passwords are set as
you expect.

Pm
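
Added example, not part of the original message and not PmWiki code or the diagnostic tool mentioned above: a small Python check that compares a php.ini file against the settings listed in this thread. The names `parse_ini` and `audit` and the sample php.ini text are assumptions made for illustration.

```python
import re

# Settings recommended in the message above. display_errors depends on
# whether the site is in production, so audit() fills it in.
RECOMMENDED = {
    "session.auto_start": False,
    "session.use_cookies": True,
    "session.use_trans_sid": False,
    "magic_quotes_runtime": False,
    "magic_quotes_gpc": False,
    "register_globals": False,
    "session.cookie_lifetime": 0,
}
TRUE_WORDS = {"1", "on", "true", "yes"}
FALSE_WORDS = {"0", "off", "false", "no", "none", ""}

SAMPLE = """\
; constructed sample, not taken from a real server
[PHP]
register_globals = On
magic_quotes_gpc = Off
magic_quotes_runtime = Off
display_errors = On   ; left over from debugging
[Session]
session.auto_start = 0
session.use_cookies = 1
session.use_trans_sid = 1
"""

def parse_ini(text):
    """Return {directive: raw value}; later assignments overwrite earlier ones."""
    found = {}
    for line in text.splitlines():
        # Comment (;) and [section] lines do not match and are skipped.
        m = re.match(r"([\w.]+)\s*=\s*(.*)$", line.strip())
        if m:
            found[m.group(1)] = m.group(2).split(";", 1)[0].strip().strip("\"'")
    return found

def audit(text, production=True):
    """Return (directive, found, wanted) for every setting that differs."""
    wanted = dict(RECOMMENDED, display_errors=not production)
    actual = parse_ini(text)
    problems = []
    for name, want in wanted.items():
        raw = actual.get(name, "not set")
        if isinstance(want, bool):
            ok = raw.lower() in (TRUE_WORDS if want else FALSE_WORDS)
        else:
            ok = raw == str(want)
        if not ok:
            problems.append((name, raw, want))
    return problems
```

A directive reported as "not set" falls back to PHP's built-in default, and values in php.ini can be overridden per directory or at runtime, so compare the result with what phpinfo() reports for the running site.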